Global leader in cyber security artificial intelligence, Darktrace, has released a new cyber-threat trend report revealing 2022 attack data observed across its global retail customer fleet.

Darktrace fleet data shows that the global retail sector experienced an increase in credential theft, credential spoofing and credential stuffing. Unusual Login and New Email Rule (SaaS)’ accounted for almost 70% more of all cyber incidents in the sector in 2022 compared to 2021.

The retail sector is evolving to meet this growing threat by investing in state-of-the-art security measures. According to forecasts, global security revenues in retail are headed for strong growth in the next few years, growing from $7 billion in 2019 to reach $12 billion by 2025.

Commenting on the report findings, Darktrace director of enterprise security for Asia Pacific and Japan, Tony Jarvis said, “We have seen an increased digitisation of the retail industry, partly due to more retailers moving online, but also as a result of digitising logistics, sales analytics, and increasingly automated supply chains.

“These changes increase a retailer’s attack surface, giving threat actors additional pathways to compromise an intended victim. The price of a breach is high, as data breaches affecting retailers often receive significant media coverage. The financial consequences of data theft extend to both customers in the form of identity theft and retailers themselves by way of fines and legal costs, while retailers also suffer reputational damage in the wake of such events.”

Given how a data breach can begin with the simple act of “logging on” if user credentials have been exposed, it is wise to focus on securing user identities, according to Jarvis.

“MFA, or multi-factor authentication, should be used wherever possible as an additional layer of protection to ensure that users logging in are in fact the individuals that they claim to be. Retailers are also increasingly moving systems to the cloud, and with this, we are seeing an opportunity for criminals to target publicly accessible services if they are not adequately secured,” he said.

One area criminals are doubling down on is persistence, or the act of ensuring they can continue to access a victim’s environment after finding an initial entry point inside.

“This is often evidenced by attackers making unusual logins to an organisation’s environment (such as logging in from an unusual location, device, or at an unusual time of day for a given user). They may also involve rules being changed so that incoming email is forwarded to unauthorised parties before being deleted, giving criminals information needed to find a way into an environment while also covering their tracks in the process,” Jarvis said.